Apple Patches Multiple Vulnerabilities in iOS, OS X

Apple has released a series of updates for the iOS and OS X platforms, aimed at resolving a series of security vulnerabilities in both products.

Published on Tuesday, the security advisory for the iOS update reveals a set of 13 patches included in the package, meant to resolve issues in Disk Images, IOHIDFamily, IOKit, Kernel, libxslt, syslog, WebKit, WebKit CSS, and WebSheet. The security fixes were included in the iOS 9.2.1 platform release, which is now available for download for compatible devices.

Of the resolved issues, 11 could result in arbitrary code execution, one would allow access to user's cookies, while another would allow websites to know if the user has visited a given link. According to Apple, devices affected by these vulnerabilities include iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later.

WebKit was the most impacted component, with 5 vulnerabilities (CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727) patched in it as part of the new update, all of which were discovered by Apple’s employees. The team found multiple memory corruption issues in WebKit that could allow attackers to execute arbitrary code if the victim visited maliciously crafted website, and addressed them through improved memory handling.

A privacy issue (CVE-2016-1728) in WebKit CSS was also addressed in the new round of updates, one that could result in websites knowing if the user has visited a given link. The problem was found in the handling of the "a:visited button" CSS selector when evaluating the containing element's height, and was addressed via improved validation.

The WebSheet flaw (CVE-2016-1730) could allow a malicious captive portal to access the user's cookies, and was resolved through an isolated cookie store for all captive portals. The vulnerability in libxslt (CVE-2015-7995) could lead to arbitrary code execution when visiting a maliciously crafted website and improved memory handling resolved it.

The Disk Images (CVE-2016-1717), IOHIDFamily (CVE-2016-1719), IOKit (CVE-2016-1720), Kernel (CVE-2016-1721), and syslog (CVE-2016-1722) issues allow a local user to execute arbitrary code with kernel or root privileges, Apple reveals. All five security flaws were caused by memory corruption issues and were addressed through improved memory handling.

The advisory published for the new OS X El Capitan 10.11.3 release reveals that 9 flaws were patched in Apple’s desktop platform. However, six of them were vulnerabilities common with iOS, namely Disk Images (CVE-2016-1717), IOHIDFamily (CVE-2016-1719), IOKit (CVE-2016-1720), Kernel (CVE-2016-1721), libxslt (CVE-2015-7995) and syslog (CVE-2016-1722),

The remaining three included a bug in AppleGraphicsPowerManagement (CVE-2016-1716) and a vulnerability in IOAcceleratorFamily (CVE-2016-1718) that could allow a local user to execute arbitrary code with kernel privileges, as well as a flaw in OSA Scripts (CVE-2016-1729) that could allow a quarantined application to override OSA script libraries installed by the user.

The arbitrary code execution issues were addressed through improved memory handling, while the bug in OSA Scripts, which existed when searching for scripting libraries, was addressed through improved search order and quarantine checks. All bugs affect OS X El Capitan v10.11 to v10.11.2, except for the libxslt vulnerability, which was found in OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5 as well.

In addition to these iOS and OS X updates, Apple also announced the release of Safari 9.0.3, which included patches for the aforementioned WebKit (CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727) and WebKit CSS (CVE-2016-1728) flaws. They were found to affect OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.2.

The patched software products are already available for download, and users are advised to update as soon as possible to ensure they remain protected.

Last week, Synack's Patrick Wardle discovered a new technique to bypass OS X’s Gatekeeper security feature, which was designed to protect users against malware downloaded from the Internet by blocking applications that come from unknown developers and the ones that have been tampered with. At the end of September, the same researcher warned about another Gatekeeper bypass issue.

Last month, Apple patched over 100 vulnerabilities in its platforms with the release of OS X El Capitan 10.11.2 and iOS 9.2, including 54 issues in the former and 50 flaws in the latter, including WebKit vulnerabilities that affected Safari, and which were addressed in version 9.0.2 of the browser. In late October, Apple patched 110 security bugs in OS X and iOS, one week after patching 4 flaws in Keynote, Numbers, and Pages productivity apps.